# 4 Jhanwar-Barua's IBE Scheme and Other Variations

Security of Identity-Based Encryption Schemes (F.L. Țiplea et al.)

Lemma 1 [14]. If $(x_1, y_1) \in \mathbb{Z}_n^2$ is a solution to the congruence $QC_n(a, S_1)$ and $(x_2, y_2) \in \mathbb{Z}_n^2$ is a solution to the congruence $QC_n(a, S_2)$, then $(x_{1,2}, y_{1,2}) \in \mathbb{Z}_n^2$ is a solution to the congruence $QC_n(a, S_1 S_2)$, where

$$x_{1,2} = \frac{x_1 + x_2}{a x_1 x_2 + 1} \bmod n \quad \text{and} \quad y_{1,2} = \frac{y_1 y_2}{a x_1 x_2 + 1} \bmod n, \tag{4}$$

provided that $(a x_1 x_2 + 1, n) = 1$. Moreover, $x_{1,2} \in \mathbb{Z}_n^*$ if and only if $(x_1 + x_2, n) = 1$.

Now we are able to describe the IBE scheme proposed by Jhanwar and Barua [14]. In this scheme, $Q(n, a, S)$ is the probabilistic algorithm described above that finds solutions to the congruence $QC_n(a, S)$.

Jhanwar-Barua IBE (JB IBE) scheme [14]

Setup(λ): Generate $(p, q) \leftarrow \mathrm{RSAgen}(\lambda)$, compute $n = pq$, generate $e \in J_n \setminus QR_n$, and choose a hash function $h : \{0,1\}^* \to J_n$. Output the public parameters $PP = (n, e, h)$; the master key $msk = (p, q, K)$ is the factorization of $n$ together with a random key $K$ of some pseudo-random function $F_K : \{0,1\}^* \to \{0, 1, 2, 3\}$ ($F_K$ chooses one of the four square roots of $h(ID)$ or $e\,h(ID)$);

Extract(msk, ID): The private key is $r = r_j$, where $j = F_K(ID)$ and $r_0, r_1, r_2, r_3$ is an ordering of the square roots modulo $n$ of $h(ID)$ or $e\,h(ID)$, depending on which of them is a quadratic residue modulo $n$;

Encrypt(PP, ID, m): Assume $m = m_0 \cdots m_{\ell-1}$ is the $\ell$-bit sequence to be encrypted. The encryption process is as follows:

– Compute $a = h(ID)$;
– Compute $k = \lceil \sqrt{\ell} \rceil$;
– For $i := 0$ to $k - 1$ do
  • Randomly choose $s_i \in \mathbb{Z}_n^*$ and compute $S_i = s_i^2 \bmod n$;
  • Compute $(x_i, y_i) \leftarrow Q(n, a, S_i)$ and $(\bar{x}_i, \bar{y}_i) \leftarrow Q(n, ea, S_i)$;
  • Compute $c_i = m_i \cdot \left(\frac{2 s_i y_i + 2}{n}\right)$ and $\bar{c}_i = m_i \cdot \left(\frac{2 s_i \bar{y}_i + 2}{n}\right)$;
– For $i := k$ to $\ell - 1$ do
  • Compute $1 \le \alpha \le k - 1$ and $0 \le \beta \le k - 1$ such that $i = \alpha \cdot k + \beta$;
  • Use Lemma 1 to compute $y_i$ from $(x_\alpha, y_\alpha)$ and $(x_\beta, y_\beta)$, and $\bar{y}_i$ from $(\bar{x}_\alpha, \bar{y}_\alpha)$ and $(\bar{x}_\beta, \bar{y}_\beta)$;
  • Set $s_i = s_\alpha s_\beta \bmod n$;
  • Compute $c_i = m_i \cdot \left(\frac{2 s_i y_i + 2}{n}\right)$ and $\bar{c}_i = m_i \cdot \left(\frac{2 s_i \bar{y}_i + 2}{n}\right)$;
– Return $(c, \bar{c}, x, \bar{x})$, where $c = c_0 \cdots c_{\ell-1}$, $\bar{c} = \bar{c}_0 \cdots \bar{c}_{\ell-1}$, $x = (x_0, \ldots, x_{k-1})$, and $\bar{x} = (\bar{x}_0, \ldots, \bar{x}_{k-1})$;

Decrypt($(c, \bar{c}, x, \bar{x}), r$): The decryption process is as follows:

– Compute $a = h(ID)$;
– Compute $k = \lceil \sqrt{\ell} \rceil$;
– For $i := 0$ to $k - 1$ do
  • If $a \in QR_n$ then $m_i = c_i \cdot \left(\frac{x_i r_j + 1}{n}\right)$ else $m_i = \bar{c}_i \cdot \left(\frac{\bar{x}_i r_j + 1}{n}\right)$;
– For $i := k$ to $\ell - 1$ do
  • Compute $1 \le \alpha \le k - 1$ and $0 \le \beta \le k - 1$ such that $i = \alpha \cdot k + \beta$;
  • Use Lemma 1 to compute either $x_i$ from $x_\alpha$ and $x_\beta$, or $\bar{x}_i$ from $\bar{x}_\alpha$ and $\bar{x}_\beta$, depending on whether $a$ or $ea$ is a quadratic residue;
  • If $a \in QR_n$ then $m_i = c_i \cdot \left(\frac{x_i r_j + 1}{n}\right)$ else $m_i = \bar{c}_i \cdot \left(\frac{\bar{x}_i r_j + 1}{n}\right)$;
– Return $m = m_0 \cdots m_{\ell-1}$.

The soundness of the JB IBE scheme follows easily from how associated polynomials can be computed from solutions to congruences $QC_n(a, S)$ and from Lemma 1.

As one can see, in the JB IBE scheme the encryptor needs to solve $2k$ congruences, where $k = \lceil \sqrt{\ell} \rceil$, while the decryptor solves none. The ciphertext length is $2\ell + 2k \log n$ bits for a plaintext of $\ell$ bits.

Regarding the security of the JB IBE scheme, it was argued in [14] that the scheme is IND-ID-CPA secure. More precisely, the following was shown.

Theorem 6 [14]. For any efficient IND-ID-CPA adversary $\mathcal{A}$ against the JB IBE scheme there exist efficient algorithms $\mathcal{B}_1$ and $\mathcal{B}_2$, whose running time is about the same as that of $\mathcal{A}$, such that

$$IBEAdv_{\mathcal{A}, JB\ IBE}(\lambda) \le PRFAdv_{\mathcal{B}_1, F}(\lambda) + 2 \cdot QRAdv_{\mathcal{B}_2, RSAgen}(\lambda) + \frac{1}{2k},$$

provided that $h$ is modeled as a random oracle, the QR assumption holds for RSAgen, and $F$ is a secure pseudo-random function.

Unfortunately, the JB IBE scheme is totally insecure. The first security flaw was remarked in [9] and can be described simply as follows. If $i = \alpha \cdot k + \beta$ and $j = \beta \cdot k + \alpha$, then $y_i = y_j$ (according to Lemma 1; moreover $s_i = s_\alpha s_\beta = s_j$). Therefore, the bits $m_i$ and $m_j$ are encrypted by using the same Jacobi symbol. This allows an adversary to easily win the IND-ID-CPA security game (in the challenge phase, the adversary chooses two messages $m_0$ and $m_1$ such that $m_0$ has identical bits on the positions $i$ and $j$, while $m_1$ has different bits on these positions). This security flaw can be overcome if we choose $k$ larger than $\lceil \sqrt{\ell} \rceil$ and combine $(x_i, y_i)$ with $(x_j, y_j)$ only for $i \le j$ [9]. In fact, $k$ should be the least integer satisfying $\frac{k(k+3)}{2} \ge \ell$.

Although we correct the JB IBE scheme as above, the JB IBE scheme is still insecure because from $x_0, \ldots, x_{k-1}$ and the Jacobi symbols used to encrypt the first $k$ bits one can compute $\left(\frac{2 s_i y_i + 2}{n}\right)$ for all $i \ge k$ [18]. Indeed, let $(x_1, y_1)$ be a solution to $QC_n(a, S_1)$ and $(x_2, y_2)$ be a solution to $QC_n(a, S_2)$. By Lemma 1, $(x_{1,2}, y_{1,2})$ is a solution to $QC_n(a, S_1 S_2)$, where $x_{1,2}$ and $y_{1,2}$ are as in the lemma. Then, if $a \in QR_n$ and $r \in SQRT_n(a)$ we obtain

$$(x_1 r + 1)(x_2 r + 1) \equiv_n a x_1 x_2 + 1 + r(x_1 + x_2) \equiv_n (a x_1 x_2 + 1)(x_{1,2} r + 1),$$

which leads to

$$\left(\frac{x_{1,2} r + 1}{n}\right) = \left(\frac{x_1 r + 1}{n}\right) \left(\frac{x_2 r + 1}{n}\right) \left(\frac{a x_1 x_2 + 1}{n}\right). \tag{5}$$

Moreover, if $S_1, S_2 \in QR_n$, $s_1 \in SQRT_n(S_1)$, and $s_2 \in SQRT_n(S_2)$ we also have

$$\left(\frac{2 s_1 s_2 y_{1,2} + 2}{n}\right) = \left(\frac{2 s_1 y_1 + 2}{n}\right) \left(\frac{2 s_2 y_2 + 2}{n}\right) \left(\frac{a x_1 x_2 + 1}{n}\right), \tag{6}$$

regardless of whether $a$ is a quadratic residue or not (see [18] for more details).

Now, it is straightforward to show that the JB IBE scheme is not IND-ID-CPA secure.
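The leak in (6) can be checked end to end on a toy instance. The following Python is added here and is not code from [14], [9] or [18]; every parameter in it is constructed: the modulus is $11 \cdot 19$ instead of an RSA modulus, the solver $Q(n, a, S)$ is replaced by a square-root table lookup that only works for such a tiny $n$, $h(ID)$ is SHA-256 stepped into $J_n$, only the $a$-branch $(c, x)$ of the ciphertext is produced (the $ea$-branch is the same computation with $ea$ in place of $a$), and plaintext bits are written as $+1/-1$ so that encryption is multiplication by a Jacobi symbol. It then runs both attacks described above: the shared symbol at positions $i = \alpha k + \beta$ and $j = \beta k + \alpha$ from [9], and the recovery of $m_\alpha m_\beta m_i$ from $c_\alpha, c_\beta, c_i$ and the public $x_\alpha, x_\beta$ via (6), from [18]. The function names and the identity string are the example's own.

```python
"""Toy reproduction of the Jhanwar-Barua combination leak (added example).

Not the authors' code.  Assumptions: n = 11 * 19 instead of an RSA modulus, the
page's solver Q(n, a, S) is replaced by a table lookup that only works for tiny n,
h(ID) is SHA-256 stepped into J_n, only the a-branch (c, x) of the ciphertext is
built, and plaintext bits are +1 / -1 so "multiply by a Jacobi symbol" encrypts.
"""
from hashlib import sha256
from math import gcd
import random

P, Q = 11, 19                      # toy primes (the real scheme uses RSA-size p, q)
N = P * Q
SQRT_TABLE = {}                    # r^2 mod N -> [r, ...], built once for the toy solver
for _r in range(1, N):
    SQRT_TABLE.setdefault(_r * _r % N, []).append(_r)


def jacobi(a, n):
    """Jacobi symbol (a / n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def solve_qc(n, a, S, rng):
    """Toy stand-in for Q(n, a, S): a random (x, y) in Z_n^* x Z_n^* with
    a x^2 + S y^2 = 1 (mod n).  Uses the square-root table, so only for tiny n."""
    S_inv = pow(S, -1, n)
    candidates = []
    for x in range(1, n):
        if gcd(x, n) != 1:
            continue
        y_sq = (1 - a * x * x) * S_inv % n
        candidates += [(x, y) for y in SQRT_TABLE.get(y_sq, []) if gcd(y, n) == 1]
    return rng.choice(candidates)


def combine(n, a, sol1, sol2):
    """Lemma 1: solutions of QC_n(a, S1) and QC_n(a, S2) give one of QC_n(a, S1*S2).
    Returns None when a x1 x2 + 1 is not a unit, i.e. the lemma's proviso fails."""
    (x1, y1), (x2, y2) = sol1, sol2
    d = (a * x1 * x2 + 1) % n
    if gcd(d, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    return ((x1 + x2) * d_inv % n, y1 * y2 * d_inv % n)


def jb_encrypt(n, a, bits, k, rng):
    """JB encryption, a-branch: c[i] = m_i * (2 s_i y_i + 2 / n), public x_0..x_{k-1}.
    Positions i >= k use Lemma 1 on (x_alpha, y_alpha), (x_beta, y_beta) with
    i = alpha*k + beta and s_i = s_alpha s_beta.  Resamples until every Jacobi
    symbol is nonzero and every Lemma 1 denominator is a unit (near-certain for real n)."""
    ell = len(bits)
    assert k * k >= ell
    units = [v for v in range(2, n) if gcd(v, n) == 1]
    while True:
        s = [rng.choice(units) for _ in range(k)]
        sols = [solve_qc(n, a, si * si % n, rng) for si in s]
        syms = []
        for i in range(ell):
            if i < k:
                si, yi = s[i], sols[i][1]
            else:
                alpha, beta = divmod(i, k)
                comb = combine(n, a, sols[alpha], sols[beta])
                if comb is None:
                    break
                si, yi = s[alpha] * s[beta] % n, comb[1]
            syms.append(jacobi(2 * si * yi + 2, n))
        if len(syms) == ell and 0 not in syms:
            return [m * j for m, j in zip(bits, syms)], [x for x, _ in sols]


def recover_triple_products(n, a, c, x, k):
    """The leak of [18]: by identity (6), for every derived position i = alpha*k + beta
        c_alpha * c_beta * c_i * (a x_alpha x_beta + 1 / n) = m_alpha * m_beta * m_i,
    computable from the ciphertext alone (a = h(ID) is public).  Returns {i: product}."""
    leaked = {}
    for i in range(k, len(c)):
        alpha, beta = divmod(i, k)
        leaked[i] = c[alpha] * c[beta] * c[i] * jacobi(a * x[alpha] * x[beta] + 1, n)
    return leaked


def demo(seed=1, ell=9, k=3, identity="alice@example.com"):
    """Encrypt ell random bits for a toy identity and run both attacks; returns what
    the adversary learns next to what the plaintext actually contains."""
    rng = random.Random(seed)
    a = int(sha256(identity.encode()).hexdigest(), 16) % N   # toy h(ID), stepped into J_n
    while jacobi(a, N) != 1:
        a = (a + 1) % N
    bits = [rng.choice((1, -1)) for _ in range(ell)]
    c, x = jb_encrypt(N, a, bits, k, rng)
    leaked = recover_triple_products(N, a, c, x, k)
    truth = {i: bits[i // k] * bits[i % k] * bits[i] for i in leaked}
    # flaw of [9]: positions alpha*k+beta and beta*k+alpha carry the same symbol
    i, j = 1 * k + 2, 2 * k + 1
    same_symbol_leak = c[i] * c[j] == bits[i] * bits[j]
    return {"leaked": leaked, "truth": truth, "same_symbol_leak": same_symbol_leak}


if __name__ == "__main__":
    out = demo()
    print("derived positions leak m_alpha*m_beta*m_i:", out["leaked"] == out["truth"])
    print("positions 5 and 7 share a Jacobi symbol:", out["same_symbol_leak"])
```

`recover_triple_products` never touches the private key $r_j$, which is exactly how the IND-ID-CPA adversary wins: it submits two challenge messages whose products $m_\alpha m_\beta m_i$ differ at some derived position and reads the answer off the ciphertext. The same function also shows why the fix of [9] (combining only $i \le j$) does not help: it only needs that a derived position was obtained by Lemma 1 from two base positions.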

In [9], Elashry, Mu, and Susilo tried to improve the upper bound in Theorem 6 by dropping the factor $1/2k$ using Damgård's assumption. This assumption says that it is hard to predict the Jacobi symbol of the next integer of a polynomial-length sequence of consecutive integers. More precisely, given a $\lambda$-bit RSA modulus $n$ and an integer $a$, it is hard to predict $\left(\frac{a + poly(\lambda) + 1}{n}\right)$ knowing

$$\left(\frac{a}{n}\right), \left(\frac{a+1}{n}\right), \ldots, \left(\frac{a + poly(\lambda)}{n}\right),$$

where $poly$ is a polynomial.

In [9], Damgård's assumption is used as follows. Let $(x_1, y_1)$ be a solution to $QC_n(a, S_1)$ and $(x_2, y_2)$ be a solution to $QC_n(a, S_2)$. By using Lemma 1, these two solutions can be combined into a solution $(x_{1,2}, y_{1,2})$ to $QC_n(a, S_1 S_2)$. Then, the authors claimed that, by Damgård's assumption, the probability of getting the Jacobi symbol

$$\left(\frac{2 s_1 s_2 y_{1,2} + 2}{n}\right) \tag{7}$$

from the sequence

$$\left(\frac{2 s_1 y_1 + 2}{n}\right), \left(\frac{2 s_2 y_2 + 2}{n}\right) \tag{8}$$

is $1/2$ ($s_1$ and $s_2$ are square roots of $S_1$ and $S_2$, respectively). Apart from the fact that the authors of [9] treat Damgård's assumption as a proved result (which is not the case), Damgård's assumption cannot be applied here because between $2 s_1 y_1 + 2$ and $2 s_2 y_2 + 2$ there may be an exponential (in the security parameter $\lambda$) number of integers, so the two values are far from consecutive. Moreover, (6) shows clearly that the Jacobi symbol (7) can easily be obtained from the Jacobi symbols in (8) (recall that $a$ can be publicly computed and $x_1$ and $x_2$ are either known from the ciphertext or can be computed from the ciphertext).

Later [10], the same authors (Elashry, Mu, and Susilo) tried to reduce further the number of congruences to be solved in order to get associated polynomials, and proposed a JB IBE-like scheme. As they used Lemma 1 to combine solutions, the flaw described above [18] remains.

# 4 Conclusions

Designing an IBE scheme from quadratic residuosity that is more space efficient than the Cocks scheme is an interesting and valuable objective. The solution proposed by Boneh, Gentry, and Hamburg comes with a very elegant idea: associated polynomials. Unfortunately, their solution uses a deterministic algorithm of quartic time complexity to compute such polynomials from congruences of the form $ax^2 + Sy^2 \equiv 1 \bmod n$. The characterization proposed by Jhanwar and Barua for the solutions to such congruences is a valuable mathematical achievement that leads to efficient probabilistic algorithms to compute solutions. Unfortunately again, this probabilistic algorithm cannot be used in conjunction with the Boneh-Gentry-Hamburg scheme. The way it can be used to obtain IBE schemes, proposed by Jhanwar and Barua, leads to insecure schemes. The insecurity stems from the fact that the Jacobi symbol of a solution obtained by combining two solutions can be derived, from public elements, from the Jacobi symbols of the two combined solutions.

Summing up, the only secure IBE schemes from quadratic residuosity are the Cocks and Boneh-Gentry-Hamburg (BasicIBE) schemes (due to space limitations, our exposition did not take into consideration the anonymous variants of these schemes).

References

1. Attrapadung, N., et al.: Relations among notions of security for identity based encryption schemes. In: Correa, J.R., Hevia, A., Kiwi, M. (eds.) LATIN 2006. LNCS, vol. 3887, pp. 130–141. Springer, Heidelberg (2006). doi:10.1007/11682462_16
2. Barua, R., Jhanwar, M.P.: On the number of solutions of the equation $Rx^2 + Sy^2 = 1 \pmod N$. Indian J. Stat. 72–A, 226–236 (2010)
3. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). doi:10.1007/BFb0055718
4. Bellare, M., Sahai, A.: Non-malleable encryption: equivalence between two notions, and an indistinguishability-based characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 519–536. Springer, Heidelberg (1999)
5. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_13
6. Boneh, D., Gentry, C., Hamburg, M.: Space-efficient identity based encryption without pairings. In: Proceedings of 48th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2007, pp. 647–657. IEEE Computer Society, Washington (2007)
7. Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001)
8. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. In: Proceedings of 23rd Annual ACM Symposium on Theory of Computing, STOC 1991, pp. 542–552. ACM, New York (1991)
9. Elashry, I., Mu, Y., Susilo, W.: Jhanwar-Barua's identity-based encryption revisited. In: Au, M.H., Carminati, B., Jay Kuo, C.-C. (eds.) NSS 2014. LNCS, vol. 8792, pp. 271–284. Springer, Berlin (2014)
10. Elashry, I., Mu, Y., Susilo, W.: An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing. In: Rhee, K.-H., Yi, J.H. (eds.) WISA 2014. LNCS, vol. 8909, pp. 257–268. Springer, Heidelberg (2015)
11. Goldreich, O., Lustig, Y., Naor, M.: On chosen ciphertext security of multiple encryptions. IACR Cryptology ePrint Archive 2002:89 (2002)
12. Goldwasser, S.: Cocks' IBE scheme, bilinear maps. In: Advanced Cryptography. MIT Lecture Notes, vol. 6876 (2004)
13. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28, 270–299 (1984)
14. Jhanwar, M.P., Barua, R.: A variant of Boneh-Gentry-Hamburg's pairing-free identity based encryption scheme. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 314–331. Springer, Heidelberg (2009)
15. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of 22nd Annual ACM Symposium on Theory of Computing, STOC 1990, pp. 427–437. ACM, New York (1990)
16. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). doi:10.1007/3-540-46766-1_35
17. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairings. In: Proceedings of Symposium on Cryptography and Information Security, Okinawa, Japan, January 2000. Springer, Berlin (2000)
18. Schipor, A.: On the security of Jhanwar-Barua identity-based encryption scheme. Personal communication (2016, submitted)
19. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_5
20. Watanabe, Y., Shikata, J., Imai, H.: Equivalence between semantic security and indistinguishability against chosen ciphertext attacks. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 71–84. Springer, Heidelberg (2002)

# Cryptographic Algorithms and Protocols

# Long-Term Secure One-Round Group Key Establishment from Multilinear Mappings

Kashi Neupane

Department of Mathematics, University of North Georgia, Oakwood, GA, USA
knneupane@ung.edu

Abstract. A new concept of security, long-term security, was introduced by Bohli et al. in 2007 as a security guarantee for a protocol even if some security assumptions become invalid after the completion of the protocol. Following the notion of long-term security of Bohli et al., we present a one-round long-term secure group key establishment protocol in the random oracle model. The resulting solution is built on a multilinear map and timestamps. The protocol also offers integrity and strong entity authentication. The proposed protocol remains secure if either a server, who shares a symmetric key with each user, is uncorrupted or the Graded Decisional Diffie-Hellman problem is hard.

Keywords: Long-term security · Group key establishment · Multilinear maps · Timestamps

## 1 Introduction

Key establishment is one of the central areas of modern cryptography. Once a common key is established, it can be used for sending large amounts of data among the group members in the presence of adversaries. Before public key cryptosystems were introduced, only symmetric key cryptosystems were in use. These days, it is common practice to construct a cryptosystem using either a symmetric key or a public key. Both kinds of cryptosystem have advantages and drawbacks. The major advantage of a protocol based on a symmetric-key cryptosystem is that it is very efficient and easy to implement. The usual requirement for the security of a symmetric cipher is that the cost of breaking the scheme is close to exponential in the key length, because its security rests on the assumption that no attack better than brute-force search is known. On the other hand, a protocol based on a public key cryptosystem is much more structured than a symmetric cipher, and algorithmic advances in solving the underlying problem make the prediction of the cost of breaking the scheme far more challenging for public-key cryptography. The major drawback of a protocol based on the former is that a trusted server, a third party, knows the secret key, whereas the major drawback of a protocol based on the latter is that the protocol is no longer secure or useful if the underlying hardness assumption breaks in the future. A long-term secure protocol is constructed from two hardness assumptions which are independent of each other. A combination of two independent hardness assumptions keeps the protocol secure even if one of the hardness assumptions becomes invalid after the completion of the protocol.

© Springer International Publishing AG 2016. I. Bica and R. Reyhanitabar (Eds.): SECITC 2016, LNCS 10006, pp. 81–91, 2016. DOI: 10.1007/978-3-319-47238-6_5

Bohli et al. [3] introduced the concept of long-term security and proposed a long-term secure two-party key establishment protocol. Their protocol requires three rounds and is based on the Decisional Diffie-Hellman (DDH) assumption and an assumption which is close to real-or-random indistinguishability of a symmetric encryption scheme. Later, Müller-Quade and Unruh [10] extended the notion of long-term security to the Universally Composable framework. Based on Bohli et al. [3], Neupane and Steinwandt [12] proposed an authenticated long-term secure three-party key establishment protocol based on the Bilinear Decisional Diffie-Hellman (BDDH) assumption and real-or-random indistinguishability. Moreover, Unruh [13] defined a variant of the Universal Composability framework, everlasting quantum-UC, and showed that the concept of long-term security can be implemented for secure communication and general multi-party computation using signature cards as trusted setup. Neupane [11] presented a more efficient, two-round protocol based on the BDDH assumption and real-or-random indistinguishability. In this paper, we propose an authenticated long-term secure group key establishment protocol based on the unauthenticated one-round protocol presented by Garg et al. [7], using timestamps as proposed by Barbosa and Farshim [1]. We use the Graded Decisional Diffie-Hellman (GDDH) assumption as the underlying hardness assumption for the public key cryptosystem, whereas the notion of real-or-random indistinguishability is used for the security of the underlying symmetric cipher.

## 2 Preliminaries

As cryptographic tools we use a symmetric encryption scheme and a signature scheme. As a mathematical tool we use the Approximate Multilinear Mappings proposed by Garg et al. [7], which they named a Graded Encoding System. In this section, we review the underlying cryptographic tools and the mathematical tool.

### 2.1 Digital Signature Scheme

A digital signature is a method for a user to sign a message electronically such that anybody can verify it later. A digital signature protects data from being altered, or more precisely enables the detection of modification. We quickly review the definition of a signature scheme; for more details we refer to Menezes et al. [9].

Definition 1 (Signature Scheme). A signature scheme $\mathcal{S} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$ is a triple of polynomial-time algorithms:

– A probabilistic key generation algorithm $\mathcal{K}$ which takes the security parameter $1^k$ as its input, and returns a key pair $(pk, sk)$: a public verification key $pk$ and matching secret signing key $sk$;
– A probabilistic signing algorithm $\mathcal{S}$ which takes a message $M \in \{0,1\}^*$ and the secret signing key $sk$ as its inputs, and returns a signature $\sigma$ on $M$;
– A deterministic verification algorithm $\mathcal{V}$ which takes a public key $pk$, a message $M$, and a signature $\sigma$ for $M$ as its inputs, and returns 1 or 0, indicating whether $\sigma$ is a valid signature for $M$ under the public key $pk$.

For pairs $(sk, pk)$ output by $\mathcal{K}$, we require that with overwhelming probability the following condition holds: $\mathcal{V}_{pk}(M, \mathcal{S}_{sk}(M)) = 1$ for all messages $M$.

Definition 2 (Existentially Unforgeable Signature Scheme Under Chosen Message Attacks (UF-CMA)). A signature scheme $\mathcal{S}$ is said to be existentially unforgeable under chosen message attacks if for all probabilistic polynomial-time adversaries $\mathcal{A}$ the following probability is negligible (in $k$):

$$\Pr\left[(pk, sk) \leftarrow \mathcal{K};\ (M, \sigma) \leftarrow \mathcal{A}^{\mathcal{S}_{sk}(\cdot)} : \mathcal{V}_{pk}(M, \sigma) = 1 \wedge (M, \sigma) \neq (M_i, \sigma_i) \text{ for all } i\right],$$

where $M_i$ denotes a message submitted by $\mathcal{A}$ to $\mathcal{S}_{sk}(\cdot)$ and $\sigma_i$ the signature returned for it.

### 2.2 Real-or-Random Indistinguishability

Following Bellare et al. [2], we present the concept of real-or-random indistinguishability and refer to that paper for a more detailed discussion. First we review the definition of a symmetric encryption scheme and then give the definition of real-or-random indistinguishability.

Definition 3 (Symmetric Key Encryption Scheme). A symmetric key encryption scheme $\mathcal{SE} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is a triple of polynomial-time algorithms:

– A randomized key generation algorithm Gen which on input of the security parameter $1^k$ returns a secret key $K \in \{0,1\}^*$;
– A randomized encryption algorithm Enc which on input of a secret key $K$ and a message $M \in \{0,1\}^*$ outputs a ciphertext $C \in \{0,1\}^*$;
– A deterministic decryption algorithm Dec which takes the key $K$ and a ciphertext $C$ as its inputs, and outputs either a message $M$ or an error symbol $\bot$.

The scheme is said to provide correct decryption if for any secret key $K$ and any message $M$ with ciphertext $C \leftarrow \mathrm{Enc}_K(M)$, it is the case that $\mathrm{Dec}_K(C) = M$.

To formalize the security notion needed later, we use a real-or-random oracle $\mathcal{E}_K(\mathcal{RR}(\cdot, b))$ with the following properties: on input $b \in \{0,1\}$ and a plaintext $M \in \{0,1\}^*$, it

– returns an encryption $C \leftarrow \mathrm{Enc}_K(M)$ of $M$, if $b = 1$;
– returns an encryption $C \leftarrow \mathrm{Enc}_K(r)$ of a uniformly at random chosen bitstring $r \leftarrow \{0,1\}^{|M|}$, if $b = 0$.

For a ppt algorithm $\mathcal{A}$ now consider the following experiment where $b \in \{0,1\}$ is fixed and unknown to $\mathcal{A}$: a secret key $K \leftarrow \mathrm{Gen}(1^k)$ is created, and $\mathcal{A}$ has unrestricted access to $\mathcal{E}_K(\mathcal{RR}(\cdot, b))$. Further, $\mathcal{A}$ has access to a decryption oracle $\mathcal{D}_K(\cdot)$ which executes $\mathrm{Dec}_K(\cdot)$, subject to the restriction that no ciphertext output by the real-or-random oracle may be queried to $\mathcal{D}_K(\cdot)$. We measure $\mathcal{A}$'s advantage as the difference

$$\mathrm{Adv}^{ror\text{-}cca}_{\mathcal{A}}(k) := \Pr\left[1 \leftarrow \mathcal{A}^{\mathcal{E}_K(\mathcal{RR}(\cdot,1)),\, \mathcal{D}_K(\cdot)}(1^k) \,\middle|\, K \leftarrow \mathrm{Gen}(1^k)\right] - \Pr\left[1 \leftarrow \mathcal{A}^{\mathcal{E}_K(\mathcal{RR}(\cdot,0)),\, \mathcal{D}_K(\cdot)}(1^k) \,\middle|\, K \leftarrow \mathrm{Gen}(1^k)\right].$$

Definition 4 (Real-or-Random Indistinguishability). A symmetric encryption scheme $\mathcal{SE}$ is secure in the sense of real-or-random indistinguishability (ROR-CCA) if for all ppt algorithms $\mathcal{A}$ the advantage $\mathrm{Adv}^{ror\text{-}cca}_{\mathcal{A}}$ is negligible (in $k$).
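As an added illustration of the experiment behind Definition 4 (not part of the paper), the following Python runs the ROR-CCA game against a constructed scheme: a stream cipher whose keystream is HMAC-SHA256(K, nonce ∥ counter) with a fresh random nonce per encryption. The cipher hides plaintexts but has no integrity, and the decryption oracle $\mathcal{D}_K(\cdot)$ turns that into a distinguisher: the adversary flips one bit of a real-or-random ciphertext, which is then no longer an oracle output and so may be decrypted, and checks whether the plaintext comes back with the same bit flipped. The class and function names are the example's own.

```python
"""ROR-CCA experiment of Definition 4 against a constructed toy scheme (added example).

Not the paper's code.  The scheme is a stream cipher with keystream
HMAC-SHA256(K, nonce || counter) and a fresh 16-byte nonce per encryption; it has
no integrity, so a CCA adversary that queries D_K on a tampered RR ciphertext wins.
"""
import hashlib
import hmac
import os


class ToyStreamCipher:
    """Constructed example scheme SE = (Gen, Enc, Dec); Enc is randomized via the nonce."""

    @staticmethod
    def gen():
        return os.urandom(32)

    @staticmethod
    def _keystream(key, nonce, length):
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    @classmethod
    def enc(cls, key, msg):
        nonce = os.urandom(16)
        ks = cls._keystream(key, nonce, len(msg))
        return nonce + bytes(m ^ k for m, k in zip(msg, ks))

    @classmethod
    def dec(cls, key, ct):
        if len(ct) < 16:
            return None                      # the error symbol
        nonce, body = ct[:16], ct[16:]
        ks = cls._keystream(key, nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


class RorCcaGame:
    """Oracles E_K(RR(., b)) and D_K(.); D_K refuses anything the RR oracle returned."""

    def __init__(self, scheme, b):
        self.scheme, self.b = scheme, b
        self.key = scheme.gen()
        self.rr_outputs = set()

    def rr(self, msg):
        pt = msg if self.b == 1 else os.urandom(len(msg))   # real plaintext or r <- {0,1}^|M|
        ct = self.scheme.enc(self.key, pt)
        self.rr_outputs.add(ct)
        return ct

    def dec(self, ct):
        if ct in self.rr_outputs:
            raise ValueError("decryption of a real-or-random oracle output is forbidden")
        return self.scheme.dec(self.key, ct)


def malleability_adversary(game):
    """Flip one bit of an RR ciphertext and decrypt the result: under b = 1 the
    plaintext comes back with the same bit flipped, under b = 0 it is unrelated noise."""
    msg = b"transfer 100 EUR to account 42"      # constructed sample plaintext
    ct = game.rr(msg)
    tampered = bytearray(ct)
    tampered[16] ^= 0x01                       # first byte of the body, nonce untouched
    recovered = game.dec(bytes(tampered))      # allowed: not an RR oracle output
    expected = bytes([msg[0] ^ 0x01]) + msg[1:]
    return 1 if recovered == expected else 0


def estimate_advantage(adversary, scheme, trials=50):
    """Empirical Adv^{ror-cca}: Pr[A -> 1 | b = 1] - Pr[A -> 1 | b = 0]."""
    p1 = sum(adversary(RorCcaGame(scheme, 1)) for _ in range(trials)) / trials
    p0 = sum(adversary(RorCcaGame(scheme, 0)) for _ in range(trials)) / trials
    return p1 - p0


if __name__ == "__main__":
    print("ROR-CCA advantage of the bit-flip adversary:",
          estimate_advantage(malleability_adversary, ToyStreamCipher))
```

For this adversary $p_1 = 1$ and $p_0 = 0$ up to a $2^{-240}$ chance, so `estimate_advantage` returns 1.0 and the toy scheme is not ROR-CCA secure, although the same adversary without $\mathcal{D}_K(\cdot)$ would have nothing to check its guess against. A scheme that authenticates its ciphertexts, so that $\mathrm{Dec}_K$ answers the tampered query with $\bot$, is what removes this advantage.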

### 2.3 Brief Overview of the Encoding System

The Graded Encoding System is based on multi-level encodings of an element of a coset of a polynomial ring. After a brief overview of the underlying mathematical tools, such as the construction of a polynomial ring and its cosets, we introduce the notion of a Graded Encoding System. We briefly review the multilinear map procedures, one of the fundamental tools of our key exchange protocol. Finally, we review the security assumption on which the protocol is based, the Graded Decisional Diffie-Hellman (GDDH) assumption. For more detailed information about GDDH, we refer to Garg et al. [7] and Coron et al. [6].

Consider a polynomial ring $R = \mathbb{Z}[x]/(x^n + 1)$ with an integer $n$ large enough to ensure security. One generates a secret short ring element $g \in R$ and the principal ideal $I = \langle g \rangle \subset R$. An integer parameter $q$ and another random secret $z \in R/qR$ are also generated. With these parameters, each coset $e + I$ of the quotient ring $R/I$ is encoded at multiple levels. The level-$i$ encoding of the element $e + I$ is an element of the form $[c/z^i]_q$, where $c$ is an element of $e + I$. Such encodings can be added and multiplied as long as the norm of the numerator remains shorter than $q$. More specifically, the product of $\kappa$ level-1 encodings gives an encoding of an element at level $\kappa$. For such level-$\kappa$ encodings one can then define a zero-testing parameter $p_{zt} = [h z^\kappa / g]_q$ for some small $h \in R$. This zero-testing parameter is used to determine whether a level-$\kappa$ encoding $[c/z^\kappa]_q$ is an encoding of zero by computing $[p_{zt} \cdot c/z^\kappa]_q = [hc/g]_q$. When $c$ encodes zero (so $c \in I$ and $c/g$ is small) this product is small, while otherwise it is large. Hence, zero can be distinguished from non-zero. Moreover, using this zero-testing parameter, two encodings of the same element can be distinguished from two encodings of different elements by subtracting them and zero-testing the difference.

Garg et al. [7] defined their notion of an approximate multilinear map, which they call a graded encoding system. In this notion, there are levels of encodings. Ring elements $\alpha \in R$ are considered as plaintexts, $\alpha \cdot g$ in the source group are considered level-1 elements, and a product of $i$ level-1 encodings is a level-$i$ encoding. So, level $\kappa$ corresponds to the target group of a multilinear map.

Now we review the definition of a κ-graded encoding system and then the GDDH assumption from Garg et al. [7].

Definition 5 (κ-Graded Encoding System). A κ-Graded Encoding System for a ring $R$ is a system of sets $S = \{S_i^{(\alpha)} \subset \{0,1\}^* : \alpha \in R,\ 0 \le i \le \kappa\}$ with the following properties:

– For every fixed $i$, the sets $\{S_i^{(\alpha)} : \alpha \in R\}$ are disjoint.
– There are binary operations $+$ and $-$ (on $\{0,1\}^*$) such that for every $\alpha_1, \alpha_2 \in R$, every index $i \le \kappa$, and every $u_1 \in S_i^{(\alpha_1)}$ and $u_2 \in S_i^{(\alpha_2)}$, it holds that $u_1 + u_2 \in S_i^{(\alpha_1 + \alpha_2)}$ and $-u_1 \in S_i^{(-\alpha_1)}$, where $\alpha_1 + \alpha_2$ and $-\alpha_1$ are addition and negation in $R$.
– There is an associative binary operation $\times$ (on $\{0,1\}^*$) such that for every $\alpha_1, \alpha_2 \in R$, every $i_1, i_2$ with $i_1 + i_2 \le \kappa$, and $u_1 \in S_{i_1}^{(\alpha_1)}$ and $u_2 \in S_{i_2}^{(\alpha_2)}$, it holds that $u_1 \times u_2 \in S_{i_1 + i_2}^{(\alpha_1 \cdot \alpha_2)}$. Here $\alpha_1 \cdot \alpha_2$ is multiplication in $R$, and $i_1 + i_2$ is integer addition.

### 2.4 Multilinear Map Procedures

Instance Generation. The randomized $\mathrm{InstGen}(1^\lambda, 1^\kappa)$ takes the security parameters $\lambda$ and $\kappa$ as its inputs and returns $(\mathrm{params}, p_{zt})$, where params is a description of a κ-Graded Encoding System and $p_{zt}$ is a zero-testing parameter.

Ring Sampler. The randomized $\mathrm{samp}(\mathrm{params})$ samples a nearly uniform element $\alpha \in_R R$ and returns a level-zero encoding $a \in S_0^{(\alpha)}$. Note that the encoding $a$ does not have to be uniform in $S_0^{(\alpha)}$.

Encoding. $\mathrm{Enc}(\mathrm{params}, i, a)$ takes a level-zero encoding $a \in S_0^{(\alpha)}$ for some $\alpha \in R$ and an index $i \le \kappa$ as inputs and returns a level-$i$ encoding $u \in S_i^{(\alpha)}$ of the same $\alpha$.

Re-Randomization. The randomized $\mathrm{reRand}(\mathrm{params}, i, u)$ re-randomizes encodings at the same level $i$, as long as the initial encoding $u$ is under a given noise bound.

Addition and Negation. Given params and two encodings relative to the same level, $u_1 \in S_i^{(\alpha_1)}$ and $u_2 \in S_i^{(\alpha_2)}$, we have $\mathrm{add}(\mathrm{params}, u_1, u_2) \in S_i^{(\alpha_1 + \alpha_2)}$ and $\mathrm{neg}(\mathrm{params}, u_1) \in S_i^{(-\alpha_1)}$, subject to bounds on the noise.

Multiplication. For $u_1 \in S_i^{(\alpha_1)}$ and $u_2 \in S_j^{(\alpha_2)}$, there is $\mathrm{mul}(\mathrm{params}, u_1, u_2) = u_1 \times u_2 \in S_{i+j}^{(\alpha_1 \cdot \alpha_2)}$.

Zero-Test. The procedure $\mathrm{Zero}(\mathrm{params}, p_{zt}, u)$ returns 1 if $u \in S_\kappa^{(0)}$ and 0 otherwise.

Extraction. This procedure extracts a "canonical" and "random" representation of ring elements from their level-κ encoding. More specifically, $\mathrm{ext}(\mathrm{params}, p_{zt}, u)$ outputs $s \in \{0,1\}^\lambda$ such that:
